7800N - IPV6 Firewall problems

kimbl1
Posts: 2
Joined: Sun May 24, 2015 3:50 pm

7800N - IPV6 Firewall problems

Post by kimbl1 » Sun May 24, 2015 4:05 pm

Apparent weirdness with the IPV6 side of the firewall config. Apparently packets are dropped before they hit the firewall - is anyone else using IPv6 with firewall rules?

Config - mail server with ports 22, 25, 80, 143, 465, 587 and 2525 open running the usual services. All works fine over V4. All works fine over V6 inside the local network. Plain routed system with no NAT at least on this part of it.

Connections to some ports (22, 80 and 2525) work fine. All the others don't. Of course they are the mail ports, so those are the ones I want...

I've tried opening specific ports from the web interface (and confirmed the config's gone through to ip6tables via an SSH shell on the router). I've tried a blanket "all ports, all protocols" rule - same.

I put a "log" rule in at the start of the "FORWARD" chain - even before the "PF_FWD" chain that does the normal work. That sees packets coming in on the ports that work, but doesn't see anything coming in on those that don't - so I think the packets are being dropped before they hit the ipv6 firewall rules (?!). I've confirmed with Wireshark on the sending end that packets are sent - ports that work get a normal connection sequence. Those that don't try, then retry - nothing comes back.

If it was another ISP I'd suspect filtering, but with AAISP I don't think it's likely.

Firmware 1.06h - was 1.06d before I upgraded to try and fix this - no apparent difference.

I wonder if it's related to viewtopic.php?f=9&t=31 - but not the same - I've no problem with the actual ip6tables rules getting passed through, it seems lower level than that...

Anyone any ideas?!
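One way to make the LOG-rule check described in this post repeatable, as an added example that is not the poster's own code: it assumes the LOG rule was inserted at the top of FORWARD with the prefix "IP6FWD: " (an assumption), parses constructed kernel log lines in the ip6t_LOG format, and reports which of the expected ports never produced a logged SYN, which is the symptom of packets being dropped before the FORWARD chain (or, as the follow-up post shows, never leaving the sending host).

```python
import re
from collections import Counter

# Ports the post expects to be reachable on the mail host.
EXPECTED_PORTS = {22, 25, 80, 143, 465, 587, 2525}

# Assumed prefix of the diagnostic rule, e.g. (not run here):
#   ip6tables -I FORWARD 1 -p tcp -m multiport \
#       --dports 22,25,80,143,465,587,2525 -j LOG --log-prefix "IP6FWD: "
LOG_PREFIX = "IP6FWD: "

# ip6t_LOG prints "... PROTO=TCP SPT=<src> DPT=<dst> ... RES=0x00 SYN URGP=0".
LOG_RE = re.compile(r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")
SYN_RE = re.compile(r"\bSYN\b")

# Constructed sample log lines (not captured from a real router).
SAMPLE_LOG = [
    "May 24 15:58:01 router kernel: IP6FWD: IN=ppp0 OUT=br0 SRC=2001:0db8:0000:0000:0000:0000:0000:0002 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=22 WINDOW=28800 RES=0x00 SYN URGP=0",
    "May 24 15:58:01 router kernel: IP6FWD: IN=ppp0 OUT=br0 SRC=2001:0db8:0000:0000:0000:0000:0000:0002 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=72 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0",
    "May 24 15:58:03 router kernel: IP6FWD: IN=ppp0 OUT=br0 SRC=2001:0db8:0000:0000:0000:0000:0000:0002 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=51240 DPT=80 WINDOW=28800 RES=0x00 SYN URGP=0",
    "May 24 15:58:05 router kernel: IP6FWD: IN=ppp0 OUT=br0 SRC=2001:0db8:0000:0000:0000:0000:0000:0002 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=51241 DPT=2525 WINDOW=28800 RES=0x00 SYN URGP=0",
    "May 24 15:58:06 router kernel: IP6FWD: IN=ppp0 OUT=br0 SRC=2001:0db8:0000:0000:0000:0000:0000:0002 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=64 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=1",
    "May 24 15:58:07 router kernel: unrelated message with DPT=25 in it but no prefix",
]


def seen_ports(log_lines, prefix=LOG_PREFIX, syn_only=True):
    """Count, per destination TCP port, the packets that reached the LOG rule.

    With syn_only=True only connection attempts (SYN flag) are counted, so a
    port shows up only if a new connection actually arrived at FORWARD.
    """
    counts = Counter()
    for line in log_lines:
        if prefix not in line:
            continue
        m = LOG_RE.search(line)
        if not m or m.group("proto") != "TCP":
            continue
        if syn_only and not SYN_RE.search(line):
            continue
        counts[int(m.group("dpt"))] += 1
    return counts


def missing_ports(log_lines, expected=EXPECTED_PORTS):
    """Expected ports with no logged SYN: traffic never reached FORWARD."""
    return sorted(expected - set(seen_ports(log_lines)))
```

Feed it the output of `dmesg` or the router's kernel log after attempting a connection to each port from outside; ports listed by `missing_ports` were not filtered by ip6tables rules in FORWARD, so the cause lies upstream of that chain.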

kimbl1
Posts: 2
Joined: Sun May 24, 2015 3:50 pm

Re: 7800N - IPV6 Firewall problems

Post by kimbl1 » Wed Jun 10, 2015 10:58 pm

Update - probably not a Billion problem...

It seems Digital Ocean have specific outbound filtering on their VPS instances. Not publicised, but OUTBOUND email ports are blocked - so the traffic never left my test point...
